Top 54 Phishing Attack Statistics & Latest Trends for 2024

Criminals have always found creative ways to trick people, but as scams have moved online, they’ve become more sophisticated — and often more devastating. Cybercrime now impacts millions worldwide, and phishing attacks remain by far the most common way for cybercriminals to target victims.

In this article, we present some of the most important phishing statistics in various categories.

• Virtually all organizations surveyed — 94% — experienced phishing attacks in 2023.
• The motivation behind 95% of data breaches is financial.
• 74% of successful phishing attacks were at least partly attributable to human error. 
• 493.2 million phishing attacks were recorded in Q3 2023 — up from 180.4 million the previous quarter. 
• 91% of security managers surveyed about phishing attacks are not confident about the effectiveness of traditional security training.
• The volume of phishing emails has increased by an astounding 1,265% since ChatGPT was released in November 2022.
• In 2023, internet users in Vietnam experienced a phishing attack rate of 18.9%.

Phishing is a form of social engineering that involves targeting individuals with messages that claim to be from legitimate sources and attempt to persuade the recipients to reveal sensitive information, such as passwords and credit card numbers. It’s a form of cyberattack that’s been around since the mid-1990s, but the methods used have become increasingly sophisticated.

Phishing attacks show no signs of abating. Email remains the main vector of these attacks, but they can also be perpetrated through SMS messages, social networks, and messaging apps. Regardless of the medium, phishing is a threat that cannot be ignored.

• In Q3 2023, phishing attacks rose 173% from the previous quarter (493.2 million vs. 180.4 million). 
• 94% of organizations surveyed were targeted by phishing attacks in 2023.
• Since ChatGPT launched at the end of 2022, the volume of phishing emails has risen by a whopping 1,265%. Credential phishing continues its stratospheric rise with a 967% increase, driven mostly by the demands of ransomware groups seeking access to companies in exchange for money. 
• Smishing (SMS phishing) haa increased to 39% of mobile threats.
• 10 million TOAD (telephone-oriented attack delivery) messages are sent every month. These call-back phishing messages guide victims into revealing sensitive information and credentials.
• The median time for users to fall for phishing emails is less than 1 minute: The median time to click on a malicious link after opening an email is 21 seconds, and it takes just another 28 seconds for the target to supply the requested information.
• 77% of infosec professionals surveyed said they had been subject to phishing attacks themselves.
• 28% of phishing attacks in 2023 were made via text message.
• Mobile credential phishing comprised 41% of mobile threats in 2023.
• Cybercriminals send an estimated 3.4 billion phishing emails per day, making it the single most common form of cybercrime. 

All phishing attacks seek to convince the recipients to part with confidential or sensitive information. How they deliver these messages has evolved since 1995, when hackers impersonating AOL staff sent instant messages to victims asking them for their passwords. Here’s what phishing looks like today:

• The FBI’s Internet Crime Complaint Center (IC3) found that business e-mail compromise (BEC) caused $50.8 billion in losses between October 2013 and December 2022. In a BEC attack, an attacker pretends to be an employee, vendor, or other trusted party to trick the target into sending money or other privileged information.
• BEC attacks fell in English-speaking countries last year, but they continue to increase in  Japan (35%), Korea (31%), and UAE (29%).
• 68% of all phishing emails since the end of 2022 leveraged text-based BEC tactics, which exacerbates fears about the contribution of chatbots and jailbreaks to the exponential growth of phishing. Cybercriminals can launch sophisticated attacks faster with the aid of AI. 
• Malicious links included in messages remain the #1 phishing tactic, comprising 35.6% of threats. 
• The number of QR codes embedded in images and PDFs within phishing emails increased in Q3 of 2023, probably because they are more difficult for security technology to detect than raw email content.
• PDFs remain the most common phishing email attachment for attackers, comprising almost 50% of the malicious file extensions observed in Q3, 2023.
• Hybrid vishing (voice phishing) emerged as an attack type during the second quarter of 2023, with 5% of response-based attacks fitting this category. Hybrid vishing attacks generally start as an email informing the recipient they have been charged for a product or service and telling them to call a phone number if they wish to cancel the order and get a refund. 
  • PayPal was the most common brand cited fraudulently in these attacks (38%)
  • Geek Squad, McAfee, and Norton/LifeLock were the next most common (19%)

• Phishing-as-a-service (PhaaS) is a model of phishing that has been supplying pay-per-use phishing kits such as EvilProxy to launch attacks since mid-2022. These toolkits include all the infrastructure required for a campaign, such as scripts, a web server, storage, and templates. 
  • 1 million-plus attacks are launched with the EvilProxy framework every month.

The range of techniques cybercriminals use to extract sensitive information from targets is vast. You’ll still see emails in your spam purporting to be from exiled royals who promise huge bounties in return for temporary access to your bank account while they negotiate their escape from hostile regimes. But these examples show how sophisticated phishing attacks have become: 

• Between March 2022 and March 2023 (when Microsoft patched a vulnerability in Microsoft Outlook), Russian cyber espionage group Fancy Bear used sophisticated spear-phishing emails to get access to NT LAN Manager authentication sessions from targets. This authentication data was then used to connect to Exchange servers and change additional high-value account mailbox permissions through the Exchange Web Services protocol.
• Russian hacker group Cozy Bear has been using Microsoft Teams messages to phish for credentials to get MFA tokens for Microsoft 365 accounts since at least late May 2023.
• Threat actor group Scattered Spider uses multiple social engineering techniques, especially phishing, for financially motivated attacks. They use SMS phishing (smishing) and voice phishing (vishing) to solicit credentials, which they then use in calls to help desks to persuade support personnel to supply password and/or MFA resets for targeted accounts. 
• A multistage campaign against MGM Resorts International in Q3 2023 started with a simple hotel reservation. The attackers then used the booking confirmation to start a chain of emails in which they stole hotel profiles and used them to target hotel clients.

To get victims to part with the information they are looking for, attackers need to convince those victims the phishing message is authentic. One way to do this is to impersonate a well-known brand.

• Facebook and Microsoft have been number #1 and #2, respectively. of the most impersonated brands for phishing attacks since 2020. 
• In Q3 2023, Facebook was not only the most impersonated brand, but it also experienced increases in phishing URLs of more than 100% compared with the previous two quarters. 
• Bank of America was the third most impersonated brand during the same period and the most impersonated financial services company overall.

Some industries are more prone to phishing attacks than others. Sectors that accumulate large amounts of sensitive data relating to identity and finance are particularly susceptible. 

• In 2023, 16.5% of phishing attacks targeted global internet portals.
• In the same period, phishing attacks on web services comprised 14.7% of all attacks globally. 
• Online stores and banks ranked third and fourth, attracting 12.2% and 11.3% of attacks, respectively.

Some countries are more subject to phishing attacks than others. Last year, phishing-attack rates were concentrated in Vietnam, Peru, and Taiwan.

• The phishing rate among internet users in Vietnam was 18.9% in 2023
• Peru’s attack rate was 17%
• Taiwan was the third-most targeted country, at 15.6%

Phishing attacks originate from diverse global locations and are deliberately hard to source. The World Cybercrime Index has identified the countries most involved in cybercrime attacks and ranks them as follows:

1. Russia
2. Ukraine
3. China
4. The United States
5. Nigeria

Phishing attacks focus on data theft and financial gain. However, victim organizations not only lose critical data and experience substantial financial losses, they can also suffer serious reputational damage.

• The median financial loss associated with ransomware and other extortion attacks was $46,000 in 2023, ranging between $3 and $1,141,467 for 95% of cases.
• Spear-phishing emails (addressed to particular individuals or organizations) comprise less than 0.1% of all emails sent but prompt 66% of all data breaches.

Of the organizations that fell victim to spear-phishing in 2023:

• 55% had their machines infected with malware or viruses
• 49% had sensitive information stolen
• 48% experienced account takeover or credential theft
• 39% experienced direct monetary loss
• Whaling attacks target high-level executives under the guise of legitimate, trusted entities and solicit highly sensitive information or wire transfers to fraudulent accounts. Incidences of whaling rose substantially following the shift to remote work in 2020, increasing by 131% between Q1 2020 and Q1 2021.
• 39% of employees duped by a phishing attack were fired.

To succeed, phishing attacks need certain factors to be in place. And these tend to center on human error. 

• The most common mistake associated with virtually all successful phishing attacks is negligence, recorded in 98% of cases in 2023.
• Stolen credentials were involved in 86% of cases.
• Sending information to the wrong recipient contributed to 43% of errors associated with breaches in 2023.
• 71% of working adults concede they have engaged in behavior that could enable phishing — including reusing or sharing passwords, clicking on links from unfamilar senders, or giving credentials to an unreliable source. 
• 96% of individuals who admitted to such risky behavior knew they were taking a risk. 
• Human error is a factor in 74% of total breaches.

Secure email gateways (SEGs) are often relied upon to protect organizations against malicious attacks via email, but not all security professionals agree that they work. The figures suggest that a combination of multifactor authentication (MFA) and proper security training across the entire organization are among the best ways to protect against phishing attacks.

• 91% of cybersecurity managers surveyed are concerned about their SEG.
• 90% are worried about the effectiveness of static email data loss prevention (DLP).
• 91% have misgivings about the effectiveness of traditional security training.
• 89% of security professionals believe MFA provides complete protection against account takeover.
• 63% of security professionals believe that the biggest cybersecurity risk comes from users who have access to critical business data. 

Sources

• Top cybersecurity statistics, trends, and facts
• Q3 2023 Phishing and Malware Report
• APWG Phishing Activity Trends Report Q2 2023
• Must-know phishing statistics for 2024
• 2024 State of the Phish Report
• Taking on EvilProxy: Advancements in Phishing Protection
• 2024 Data Breach Investigations Report | Verizon
• 2023 Phishing Threats Report
• 2023 Spear-Phishing Trends
• Trends in phishing attacks on organizations in 2022–2023
• Worldwide organizations most targeted by phishing attacks in 2023, by industry
• Countries most targeted by phishing attacks worldwide in 2022
• Mapping the global geography of cybercrime with the World Cybercrime Index
• 2024 Email Security Risk Report
• Top Phishing Statistics for 2024: Latest Figures and Trends